This repository contains tools and components for attesting confidential guests and providing secrets to them. Collectively, these components are known as Trustee. Trustee typically operates on behalf of the guest owner and interacts remotely with guest components.
Trustee was developed for the Confidential Containers project, but can be used with a wide variety of applications and hardware platforms.
- Key Broker Service: The KBS is a server that facilitates remote attestation and secret delivery. Its role is similar to that of the Relying Party in the RATS model.
- Attestation Service: The AS verifies TEE evidence. In the RATS model this is the Verifier.
- Reference Value Provider Service: The RVPS manages reference values used to verify TEE evidence. This is related to the discussion in section 7.5 of the RATS document.
- KBS Client Tool: This is a simple tool which can be used to test or configure the KBS and AS.

For further information, see the documentation of the individual components.
Trustee is flexible and can be deployed in several different configurations. This figure shows one common way to deploy these components in conjunction with certain guest components.
```mermaid
flowchart LR
    AA -- attests guest ----> KBS
    CDH -- requests resource --> KBS
    subgraph Guest
        CDH <.-> AA
    end
    subgraph Trustee
        AS -- verifies evidence --> KBS
        RVPS -- provides reference values --> AS
    end
    client-tool -- configures --> KBS
```
Use the following commands to build the container images for the Trustee components locally:

```shell
DOCKER_BUILDKIT=1 docker build -t kbs:latest . -f Dockerfile.kbs
DOCKER_BUILDKIT=1 docker build -t as-grpc:latest . -f Dockerfile.as-grpc
DOCKER_BUILDKIT=1 docker build -t as-restful:latest . -f Dockerfile.as-restful
DOCKER_BUILDKIT=1 docker build -t rvps:latest . -f Dockerfile.rvps
```

If needed, use the following command to build the KBS Client (Trustee Client):

```shell
DOCKER_BUILDKIT=1 docker build -t trustee-client:latest . -f Dockerfile.trustee-client
```
This repository provides a Docker Compose script to start a Trustee service locally with a single command.

By default the script uses the container images we published in the Alibaba Cloud ACR image repository. If you want to use your own container images, modify the `image` field of each container in the Docker Compose script to point at your own image address.
Before starting the Trustee service, you need to create an asymmetric key pair that represents the identity of the Trustee service owner. This key pair will be used to configure and modify policies and confidential data after the service starts:

```shell
openssl genpkey -algorithm ed25519 > kbs/config/private.key
openssl pkey -in kbs/config/private.key -pubout -out kbs/config/public.pub
```
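As an added example that is not part of the Trustee repository, the script below wraps the two openssl commands above so the owner key is created with owner-only file permissions, is never silently regenerated (a new key would no longer match the public key the running KBS trusts), and is checked to round-trip before use. The function name and the directory argument are assumptions; the file names match the README.

```shell
#!/usr/bin/env sh
# Added example (not part of the Trustee repository).
# Usage: trustee_owner_keygen <config-dir>
# Creates <config-dir>/private.key and <config-dir>/public.pub, the paths the
# README uses under kbs/config/. Returns 0 on success, 1 if a key already
# exists there, 2 if openssl is unavailable or the derived key does not match.
trustee_owner_keygen() {
    dir="$1"
    priv="$dir/private.key"
    pub="$dir/public.pub"

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }

    # Refuse to overwrite: regenerating the owner key after the KBS has been
    # configured with public.pub would lock the owner out of policy and
    # resource administration until the service is reconfigured.
    if [ -e "$priv" ] || [ -e "$pub" ]; then
        echo "owner key already exists in $dir; refusing to overwrite" >&2
        return 1
    fi

    mkdir -p "$dir" || return 2

    # Create the private key with mode 0600 from the moment it exists (the umask
    # applies at creation, so there is no window before a later chmod).
    (umask 077 && openssl genpkey -algorithm ed25519 -out "$priv") || return 2

    # Derive the public key exactly as the README does.
    openssl pkey -in "$priv" -pubout -out "$pub" || return 2

    # Sanity check: the stored public key must be the one derived from private.key.
    derived=$(openssl pkey -in "$priv" -pubout 2>/dev/null)
    [ "$derived" = "$(cat "$pub")" ] || { echo "public key mismatch" >&2; return 2; }

    # Print a SHA-256 fingerprint of the DER-encoded public key so the owner can
    # record which key this deployment was configured with.
    openssl pkey -in "$pub" -pubin -outform DER 2>/dev/null | openssl dgst -sha256
}
```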
Then start the service locally with a single command:

```shell
docker-compose up -d
```

After deployment, Trustee listens locally on port 8080 for the KBS RESTful API and on port 50005 for the AS RESTful API.
You can use the following four commands to view the runtime logs of the KBS, the AS (gRPC service), the AS (RESTful service), and the RVPS, and check the remote attestation verification results in the logs:

```shell
docker logs openanolis-trustee-kbs-1
docker logs openanolis-trustee-as-1
docker logs openanolis-trustee-as-restful-1
docker logs openanolis-trustee-rvps-1
```